Thousands of Verkada Cameras Affected by Hacking Breach

Published: 23/11/2024   Category: security




Thousands of Verkada cameras have been affected by a breach from a group of hackers, who have reportedly gained access to surveillance systems inside several high-profile companies, police departments, hospitals, prisons and schools.



Organizations using the vendor's cameras said to be affected include Tesla and software provider Cloudflare, while Bloomberg has reported that the hackers also gained access to footage inside psychiatric hospitals and health clinics.
The data breach is said to have been carried out by an international hacker collective, with one of the individuals involved explaining the reasons behind the attack were "lots of curiosity, fighting for freedom of information… and it's also just too much fun not to do it."
A Verkada spokesperson told Bloomberg that the company has disabled all internal administrator accounts to prevent any unauthorised access, and that its internal security team are investigating the scale and scope of the issue, and "we have notified law enforcement."
The company has also set up a support line for its customers.
Many of the cameras utilize video analytics software, including facial recognition and tracking technology. The hackers have said they've been able to access live feeds and archived video, as well as audio.
The breach was described as unsophisticated, with the hacking group using a super admin account to gain access, with the spokesperson from the collective saying they found the administrator username and password on the internet.
The news will likely raise further concerns over the inherent cyber protection in physical security devices — an issue experts have been highlighting for some time, as they call for growing awareness of potential vulnerabilities and the uptake of converged security solutions to cover both cyber and physical attacks.
In IFSEC Global's Video Surveillance 2020 Report, 76% of security end-users and consultants said they were either quite or very worried about the vulnerability of their surveillance systems to cyber-attacks, with almost half citing back doors created by manufacturers for customer support and troubleshooting as the main cause of concern. Inadequate protection within surveillance hardware was cited as the third biggest potential vulnerability in surveillance systems, too.
Sarb Sembhi, CTO & CISO at Virtually Informed, and regular contributor to IFSEC Global on the subject, commented: "If the attackers are to be believed (and there is no reason not to believe them), then creating a device with default username and password that doesn't have to be changed on installation is most obviously bad practice. Especially, given that almost every mass CCTV system attack we hear of has been as the result of this very same issue. One would like to think that any security company, be it physical or cyber security, understood the stakes of having high profile clients enough to at least get this one simple thing right.
"I think it interesting that the vendor finishes by saying that law enforcement have been informed — as if that would make up for the fact that they have lapsed in their responsibility to change the admin password. However big a failing this may be, so far the industry doesn't seem to have come up with a simple solution for systems managers to be able to create, store and use passwords effectively, or to have added a second authenticating factor in such systems. If there were such solutions, it would reduce the internal discussion around 'how are we going to remember 150K passwords'."
Elisa Costante, VP of Research at Forescout, added: "Connected cameras are supposed to provide an additional layer of security to organizations that install them. Yet, as the shocking Verkada security camera breach has shown, the exact opposite is often true. In this case, the bad actors have seemingly only resorted to viewing the footage these cameras have captured. But they are likely able to cause a lot more damage if they choose to do so, as our own research team has discovered. We were able to intercept, record and replace real-time footage from smart cameras by exploiting unencrypted video streaming protocols and performing a man-in-the-middle attack. This effectively gives criminals a virtual invisibility cloak to physically access premises and wreak havoc in the real world.
"In fact, based on our own research, the Verkada cameras are in widespread use within government and healthcare, leaving those organizations particularly vulnerable to these kinds of attacks. The only way for organizations to adequately protect themselves is to ensure they have a comprehensive device visibility and control platform in place."
This story first appeared on IFSEC Global, part of the Informa Network, and a leading provider of news, features, videos, and white papers for the security and fire industry. IFSEC Global covers developments in long-established physical technologies — like video surveillance, access control, intruder/fire alarms, and guarding — and emerging innovations in cybersecurity, drones, smart buildings, home automation, the Internet of Things, and more.
